ebpfkit-monitor is a tool that detects and protects against eBPF powered rootkits

Overview

ebpfkit-monitor

License: GPL v2 License

ebpfkit-monitor is a utility that you can use to statically analyse eBPF bytecode or to monitor suspicious eBPF activity at runtime. It was specifically designed to detect ebpfkit.

Disclaimer

This project is not an official Datadog product (experimental or otherwise), it is just code that happens to be developed by Datadog employees as part of an independent security research project. The rootkit herein is provided for educational purposes only and for those who are willing and curious to learn about ethical hacking, security and penetration testing with eBPF.

Do not attempt to use these tools to violate the law. The author is not responsible for any illegal action. Misuse of the provided information can result in criminal charges.

System requirements

  • golang 1.13+
  • This project was developed on an Ubuntu Focal machine (Linux Kernel 5.4)
  • Kernel headers are expected to be installed in /lib/modules/$(uname -r) (see Makefile)
  • clang & llvm (11.0.1)
  • Graphviz (to generate graphs)
  • go-bindata (go get -u github.com/shuLhan/go-bindata/...)

Build

  1. To build ebpfkit-monitor, run:
# ~ make
  2. To install ebpfkit-monitor (copies ebpfkit-monitor to /usr/bin/ebpfkit-monitor), run:
# ~ make install

Getting started

Run ebpfkit-monitor -h to get help.

# ~ ebpfkit-monitor -h
Usage:
  ebpfkit-monitor [command]

Available Commands:
  graph       graph generates a graphviz representation of the ELF file
  help        Help about any command
  map         prints information about one or multiple maps
  prog        prints information about one or multiple programs
  report      prints summarized information about the maps and programs
  start       start monitoring the bpf syscall at runtime

Flags:
  -h, --help               help for ebpfkit-monitor
  -l, --log-level string   log level (options: panic, fatal, error, warn, info, debug or trace). Set to "debug" to see bpf events. (default "info")

Use "ebpfkit-monitor [command] --help" for more information about a command.

Examples

List all the program sections provided in the ELF file

# ~ ebpfkit-monitor prog --asset my_elf_file.o

Dump the bytecode of a program

# ~ ebpfkit-monitor prog --asset my_elf_file.o --section kprobe/my_program --dump

List all the programs that use the bpf_probe_write_user eBPF helper

# ~ ebpfkit-monitor prog --asset my_elf_file.o --helper BpfProbeWriteUser

List all the programs that interact with the "piped_progs" eBPF map

# ~ ebpfkit-monitor prog --asset my_elf_file.o --map piped_progs

List all the maps declared in the ELF file

# ~ ebpfkit-monitor map --asset my_elf_file.o
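What the `prog --helper` query above has to do underneath, as an added example in Go (this is not ebpfkit-monitor's own code, which sits on a full eBPF ELF loader): walk raw eBPF bytecode, merge the two slots of each wide `lddw` instruction so that a value does not get misread as an opcode, and collect the helper IDs of every `call`. The helper numbers come from the kernel's `enum bpf_func_id`; `bpf_probe_write_user` is 36 and `bpf_override_return` is 58, the two helpers a user-space-tampering rootkit needs. `sampleProg` is constructed input, not a compiled object; `scanObject` runs the same scan over the executable sections of a real `.o` using only the standard library.

```go
package main

import (
	"debug/elf"
	"encoding/binary"
	"errors"
	"fmt"
	"os"
)

// One eBPF instruction is 8 bytes, little-endian:
//   op (1) | src_reg<<4 | dst_reg (1) | off (2) | imm (4)
// BPF_LD|BPF_IMM|BPF_DW (0x18, "lddw") is the only wide instruction: it
// takes two slots, the second carrying the high 32 bits of the value.
const (
	insnSize   = 8
	opLDDW     = 0x18 // BPF_LD | BPF_IMM | BPF_DW
	opMov64Imm = 0xb7 // BPF_ALU64 | BPF_MOV | BPF_K
	opCall     = 0x85 // BPF_JMP | BPF_CALL
	opExit     = 0x95 // BPF_JMP | BPF_EXIT
)

// Helper IDs from enum bpf_func_id (include/uapi/linux/bpf.h); only the
// ones that matter for a rootkit hunt are listed.
var helperNames = map[int32]string{
	1:   "bpf_map_lookup_elem",
	4:   "bpf_probe_read",
	36:  "bpf_probe_write_user",
	58:  "bpf_override_return",
	112: "bpf_probe_read_user",
}

type insn struct {
	op, dst, src uint8
	off          int16
	imm          int32
	wide         bool   // true for lddw
	imm64        uint64 // full 64-bit immediate of an lddw
}

// decodeInsns splits bytecode into instructions, merging both lddw slots.
// Misaligned or truncated input is rejected rather than read past the end.
func decodeInsns(code []byte) ([]insn, error) {
	if len(code)%insnSize != 0 {
		return nil, fmt.Errorf("code length %d is not a multiple of %d", len(code), insnSize)
	}
	var out []insn
	for i := 0; i < len(code); i += insnSize {
		in := insn{op: code[i], dst: code[i+1] & 0x0f, src: code[i+1] >> 4,
			off: int16(binary.LittleEndian.Uint16(code[i+2:])),
			imm: int32(binary.LittleEndian.Uint32(code[i+4:]))}
		if in.op == opLDDW {
			if i+2*insnSize > len(code) {
				return nil, errors.New("truncated lddw: second slot missing")
			}
			hi := binary.LittleEndian.Uint32(code[i+insnSize+4:])
			in.wide, in.imm64 = true, uint64(hi)<<32|uint64(uint32(in.imm))
			i += insnSize
		}
		out = append(out, in)
	}
	return out, nil
}

// helpersCalled returns the helper ID of every BPF_CALL with src_reg == 0.
// src_reg == 1 (BPF_PSEUDO_CALL) is a bpf-to-bpf subprogram call; its imm
// is an instruction offset, not a helper ID, so it is skipped.
func helpersCalled(code []byte) ([]int32, error) {
	insns, err := decodeInsns(code)
	if err != nil {
		return nil, err
	}
	var ids []int32
	for _, in := range insns {
		if in.op == opCall && in.src == 0 {
			ids = append(ids, in.imm)
		}
	}
	return ids, nil
}

// usesHelper is the predicate behind a "--helper" style query.
func usesHelper(code []byte, id int32) bool {
	ids, _ := helpersCalled(code)
	for _, h := range ids {
		if h == id {
			return true
		}
	}
	return false
}

// enc assembles one 8-byte instruction; used only to build the sample.
func enc(op, dst, src uint8, off int16, imm int32) []byte {
	b := make([]byte, insnSize)
	b[0], b[1] = op, src<<4|dst
	binary.LittleEndian.PutUint16(b[2:], uint16(off))
	binary.LittleEndian.PutUint32(b[4:], uint32(imm))
	return b
}

// sampleProg is constructed input, not a real compiled object:
//   lddw r1, 0x1122334455667788 ; mov r2, 8 ; call 36 ; mov r0, 0 ; exit
var sampleProg = func() (p []byte) {
	for _, b := range [][]byte{
		enc(opLDDW, 1, 0, 0, 0x55667788), enc(0, 0, 0, 0, 0x11223344),
		enc(opMov64Imm, 2, 0, 0, 8), enc(opCall, 0, 0, 0, 36),
		enc(opMov64Imm, 0, 0, 0, 0), enc(opExit, 0, 0, 0, 0)} {
		p = append(p, b...)
	}
	return p
}()

// scanObject runs the scan over every executable section of a compiled
// eBPF object (kprobe/..., tracepoint/..., xdp, ...). A missing "license"
// section is flagged too: that is what the loader error quoted in the
// comments on this page complains about.
func scanObject(path string) error {
	f, err := elf.Open(path)
	if err != nil {
		return err
	}
	defer f.Close()
	if f.Section("license") == nil {
		fmt.Println("warning: no \"license\" section; the loader will reject this object")
	}
	for _, s := range f.Sections {
		if s.Type != elf.SHT_PROGBITS || s.Flags&elf.SHF_EXECINSTR == 0 || s.Size == 0 {
			continue
		}
		data, err := s.Data()
		if err != nil {
			return fmt.Errorf("%s: %w", s.Name, err)
		}
		ids, err := helpersCalled(data)
		if err != nil {
			return fmt.Errorf("%s: %w", s.Name, err)
		}
		for _, id := range ids {
			name := helperNames[id]
			if name == "" {
				name = fmt.Sprintf("helper#%d", id)
			}
			fmt.Printf("%-32s calls %s\n", s.Name, name)
		}
	}
	return nil
}

func main() {
	if len(os.Args) > 1 { // go run scan.go my_elf_file.o
		if err := scanObject(os.Args[1]); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		return
	}
	ids, _ := helpersCalled(sampleProg)
	for _, id := range ids {
		fmt.Printf("sample program calls %s (%d)\n", helperNames[id], id)
	}
}
```

Map references (the `--map` query) are not covered by this scan: in an object file a map load is an `lddw` whose immediate is patched through a relocation entry in the section's `.rel*` companion, so answering "which programs touch `piped_progs`" means resolving those relocations against the symbol table rather than reading the immediate.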

Monitor the bpf syscall and print events to the screen

# ~ sudo ebpfkit-monitor start --log-level debug

Monitor the bpf syscall and write the captured events to a file

# ~ sudo ebpfkit-monitor start --output /tmp

Monitor the bpf syscall, write the captured events to a file and ensure that only "bpftool" is allowed to use the "bpf" syscall

# ~ sudo ebpfkit-monitor start --output /tmp --allowed-processes "/usr/sbin/bpftool"

Generate a graph from the provided ELF file

# ~ ebpfkit-monitor graph -a my_elf_file.o
INFO[2021-08-03T13:19:12Z] Graph generated: /tmp/ebpfkit-monitor-graph-4104912074
# ~ fdp -Tsvg /tmp/ebpfkit-monitor-graph-4104912074 > ./graphs/output.svg

[image: output.svg, the generated graph]

Future work

  • Move the project to BTF & CO-RE
  • Use lsm eBPF programs instead of bpf_override_return for access control

License

  • The golang code is under Apache 2.0 License.
  • The eBPF programs are under the GPL v2 License.
Comments
  • eBPF need license? Failed to start.

    sudo ebpfkit-monitor start
    FATAL[2022-06-05T12:23:40Z] failed to start ebpfkit-monitor: failed to setup eBPF manager: failed to init eBPF manager: load license: missing license section

    I used strace to trace the syscalls and info, but it did not show the license alert before. I've searched Google and found nothing about it.

    4351 execve("/usr/bin/ebpfkit-monitor", ["ebpfkit-monitor", "start"], 0x7fffb3caa7a0 /* 24 vars */) = 0
    4351 access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
    4351 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
    4351 newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=23241, ...}, AT_EMPTY_PATH) = 0
    4351 openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
    4351 newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=2216304, ...}, AT_EMPTY_PATH) = 0
    4351 openat(AT_FDCWD, "/sys/kernel/mm/transparent_hugepage/hpage_pmd_size", O_RDONLY) = 3
    4351 openat(AT_FDCWD, "/proc/stat", O_RDONLY|O_CLOEXEC) = 3
    4351 newfstatat(AT_FDCWD, "/usr/bin/getconf", {st_mode=S_IFREG|0755, st_size=35112, ...}, 0) = 0
    4351 openat(AT_FDCWD, "/dev/null", O_RDONLY|O_CLOEXEC) = 3
    4358 execve("/usr/bin/getconf", ["/usr/bin/getconf", "CLK_TCK"], 0xc00009cf70 /* 24 vars */) = 0
    4358 access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
    4358 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
    4358 newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=23241, ...}, AT_EMPTY_PATH) = 0
    4358 openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
    4358 newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=2216304, ...}, AT_EMPTY_PATH) = 0
    4358 openat(AT_FDCWD, "/usr/lib/locale/C.utf8/LC_CTYPE", O_RDONLY|O_CLOEXEC) = 3
    4358 newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=353616, ...}, AT_EMPTY_PATH) = 0
    4358 openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache", O_RDONLY) = 3
    4358 newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=27002, ...}, AT_EMPTY_PATH) = 0
    4358 openat(AT_FDCWD, "/usr/lib/locale/C.utf8/LC_MESSAGES", O_RDONLY|O_CLOEXEC) = 3
    4358 newfstatat(3, "", {st_mode=S_IFDIR|0755, st_size=4096, ...}, AT_EMPTY_PATH) = 0
    4358 openat(AT_FDCWD, "/usr/lib/locale/C.utf8/LC_MESSAGES/SYS_LC_MESSAGES", O_RDONLY|O_CLOEXEC) = 3
    4358 newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=48, ...}, AT_EMPTY_PATH) = 0
    4358 newfstatat(1, "", {st_mode=S_IFIFO|0600, st_size=0, ...}, AT_EMPTY_PATH) = 0
    4358 +++ exited with 0 +++
    4353 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4358, si_uid=0, si_status=0, si_utime=0, si_stime=0} ---
    4351 newfstatat(AT_FDCWD, ".", {st_mode=S_IFDIR|0700, st_size=4096, ...}, 0) = 0
    4351 newfstatat(AT_FDCWD, "/root", {st_mode=S_IFDIR|0700, st_size=4096, ...}, 0) = 0
    4351 openat(AT_FDCWD, "/proc/net/psched", O_RDONLY|O_CLOEXEC) = 3
    4351 openat(AT_FDCWD, "/proc/stat", O_RDONLY|O_CLOEXEC) = 3
    4351 readlinkat(AT_FDCWD, "/proc/self/exe", "/usr/bin/ebpfkit-monitor", 128) = 24
    4351 openat(AT_FDCWD, "/etc/os-release", O_RDONLY|O_CLOEXEC) = 3
    4351 openat(AT_FDCWD, "/proc/kallsyms", O_RDONLY|O_CLOEXEC) = 3
    4351 --- SIGURG {si_signo=SIGURG, si_code=SI_TKILL, si_pid=4351, si_uid=0} ---
    4351 openat(AT_FDCWD, "/etc/localtime", O_RDONLY) = 3
    4357 +++ exited with 1 +++

    opened by pythonmandev 13
  • Question about the error when running the make command

    Hi, I encountered this error when running the make command [image]. I'm suspecting it's because kconfig.h does not exist at /lib/modules like what was stated in the system requirements [image]. But I'm not really sure how I can resolve this issue as I'm a new Linux user. I've checked that the linux-headers are installed and kconfig.h exists at /usr/src/linux-headers-4.19.0-20-common/include/linux. Does anyone have any idea how I can resolve this issue? Thanks in advance.

    opened by flairekq 7
Owner
Guillaume Fournier